Dear Patient,
we would like to provide you with some information on the EU Regulation 2016/679 of the European Parliament and Council of 27 April 2016 (“Regulation”) on data processing carried out at ISMETT – Istituto Mediterraneo per i Trapianti e Terapie ad Alta Specializzazione S.r.l (“ISMETT”). You will receive documents that concern your involvement in activities such as drug trials or generic data collection.
ISMETT is a center of excellence in the field of transplantation and highly specialized therapies, accredited by Joint Commission International, an international body that certifies excellence of health care organizations, and compliance with high standards of quality and safety recognized by the international scientific community.
ISMETT was created by a partnership between the Region of Sicily and UPMC (University of Pittsburgh Medical Center) based in Pittsburgh, Pennsylvania, U.S. This collaboration resulted from the need to provide state-of-the-art clinical services using the experience and know-how of UPMC and of its network of hospitals (“UPMC Group“), with which there is a continuous exchange of information. In order to ensure a close collaboration with these top international facilities, ISMETT’s management was entrusted to UPMC Italy (“UPMCI”), the Italian subsidiary of the UPMC Group.
ISMETT will ask you or third parties (e.g., your family doctor) to provide your personal data (name, address, etc.), information on your health status (diseases, lab results, diagnostic tests, ongoing therapies) and, if required, on your sex life or social and psychological scope. During your treatment it may become necessary to obtain some images of you for purpose of consults, also using telemedicine, performed by external experts to assess your health status. To safely verify your identity you will be asked to wear a wristband that includes your personal information (name, surname, date of birth, patient code and visit code) by means of RFID (radio frequency identification) technology. This device associates you in a safe and reliable way with your lab tests, test tubes, blood units, and other information.
Your personal data is collected and processed so that you can receive the necessary clinical services (outpatient procedures, admissions, and in general, patient care, diagnosis, rehabilitation, and prevention) and to fulfill the related administrative and accounting requirements. In addition, if required, we will send you treatment plans, and how to prepare for tests. The legal basis of data processing is art. 6.1.b of the Regulation (processing necessary for the performance of a contract to which the data subject is a party) and art. 9.2.h of the Regulation (“processing is necessary for the purposes of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services pursuant to contract with a health professional”).
To this extent, your data may be shared with the following:
- family doctors;
- social security institutions, insurance companies covering civil liability of ISMETT towards third parties or providing ancillary clinical services to ISMETT, and professionals who may be involved in the defense of ISMETT and of its staff;
- Health service, institutions and municipalities (for example, for verification of social services or their activation); diplomatic offices; institutions, and surveillance bodies and agencies to verify the provision of patient care services (e.g. [Italian] Provincial Health Authority, a.k.a. “ASP”); certifying bodies (e.g., JCI, OHSAS, ISO) for relevant certifications, and third parties auditing the quality and appropriateness of the patient care services delivered to promote quality improvement of services and care;
public and private hospitals (for tests and exams that cannot be performed at ISMETT), the national and regional transplant centers, diseases registries, public and private research centers, and for any other legal obligation.
With the purpose of improving its clinical services and contributing to general medical knowledge, ISMETT is involved in many research projects (both internal and in collaboration with other centers inside and outside the European Union). Specifically, ISMETT carries out research activity in the following areas: transplantation and end-stage organ failure; innovative surgical and diagnostic and interventional radiology and endoscopy techniques; regenerative medicine; clinical immunology and immunotherapy; infectious diseases and molecular medicine; Information & Communication Technology applied to health care.
Many of these studies can be performed using information already collected during: (i) regular patient care activity; (ii) previous clinical studies; (iii) from biological samples collected for patient care and stored in the biological material storage systems of ISMETT’s Pathology Laboratory and of the laboratories of the Department of Laboratory Medicine and Advanced Biotechnologies. Participating to these research projects will not interfere in any way with regular patient care and requires no additional tests or treatments for patients. These studies will not collect genetic data (i.e. personal data relating to inherited or acquired genetic characteristics of a natural person providing unique information about the physiology or health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question).
In order to protect the privacy, the patients’ personal data is removed from the information, clinical data and biological samples used for these studies, and replaced with an alphanumerical code that does not allow to trace the patient’s identity. The list that allows to associate this code with the patient’s personal data is in the possession exclusively of the principal investigator and filed as confidential documentation.
Encoded data is used during data processing and storage, and when forwarding data to the other subjects involved in the study (the list of centers involved in the studies is available from the Office of Research contacting direzionescientifica@ismett.edu). Access to data directly ascribable to the patient may only take place when extracting data from the original clinical documentation and during potential monitoring activity (i.e. checking for correspondence of the data used for research with those contained in the medical record), or should this be necessary to update the research data. Data is stored for a period of at least seven years after the completion of the research project, or for a longer period in compliance with the applicable laws or agreements between the participating centers. Encryption is used for data storage and transfer, preventing access by unauthorized parties. Research outcomes are spread only in aggregated form, i.e. in ways that do not render identifiable the data subjects.
A list of studies in progress, divided by area, is available at ISMETT and at www.ismett.edu . In addition, if interested, you will be able to meet the principal investigators or the Data Controller – Research Office for further information.
In order to use a patient’s biological samples and health information for research purposes, the patient must give consent, as the legal basis for data processing (art. 6.1.a) of the Regulation and, as regards the exemption from the prohibition on the processing of particular data, art. 9.2.a of the Regulation – “explicit consent of the data subject to the processing”). Therefore, if you wish to allow ISMETT (in collaboration also with centers based in non-EU countries, in which an adequate level of protection of personal data may not be guaranteed, according to European legislation, but which will adopt the guarantees prescribed by articles 46 and following of the Regulation) to use your clinical information and samples collected as part of patient care activities (or in the course of other research projects in which you have participated), please give your consent ticking the appropriate boxes at the bottom of this document. Please remember that you are free to provide or to deny your consent. Please note you may deny or withdraw your consent to data and sample processing at any time, and that this will not affect your treatment. In this case the biological sample, if still attributable to you, will be destroyed (except for preservation for purposes of treatment only).
ISMETT intends to participate in research projects regulated by laws, in the areas indicated above. In order to use the clinical data of a patient for purposes of research, the patient must have previously expressed his/her informed consent as legal basis of data processing (art. 6.1.e) of the Regulation “Performance of a task in the public interest”, as regards exemption from the prohibition on the processing of particular data, art. 9.2.j of the Regulation – “scientific research according to the rule of law”). Data is stored for a period of at least seven years after the completion of the research project, or for a longer period in compliance with the applicable laws or agreements between the participating centers.
ISMETT is committed to monitor and assess the effectiveness of the patient care delivered, its appropriateness and quality as well as clinical risk factors beyond those provided for by law. In particular, the goal of ISMETT is to assess and compare the appropriateness, efficacy, effectiveness and efficiency of care delivered to different population groups or in different facilities, also with reference to specific diseases or health issues. In order to use patients’ personal data for such purposes, the patients must express informed consent as legal basis of data processing (art. 9.2.a of the Regulation – “explicit consent by the data subject to data processing”). If you wish to authorize ISMETT to process your data, also collected in the past, to conduct these important tests that could provide useful information for your treatment, please give your consent by ticking the appropriate box at the bottom of this document. If you do not express your consent we will not be able to use the data for these tests. You will however still be entitled to receive care at ISMETT. Also, ISMETT will be involved in surveillance systems and registries collecting data on diseases and risks for the patients’ health under the current regulations. For the use of data as part of these activities it is not necessary to collect the consent of patients as, in fact, provided for by the law (article 6.1.b) of the Regulation, “processing is necessary to fulfill a legal obligation” and, as to the exemption from the prohibition of the processing of particular data, art. 9.2.i of the Regulations “treatment necessary for the guarantee of high parameters of quality and safety relating to patient care, medicines and medical devices, required by law”)
If you sign the consent you will receive information on ISMETT projects and services, campaigns, and fund raising initiatives. For this purpose, the legal basis of the processing is represented by the consent (art. 6.1.a) of the Regulation and, as regards the exemption from the prohibition of processing particular data, art. 9.2.a of the Regulation – “explicit consent of the data subject”). The data will be stored for 24 months. If you do not express your informed consent we will not be able to send you this materials.
An electronic file is used at ISMETT, also known as “dossier sanitario”, that allows clinicians to access all patient care documentation at ISMETT, also in the past (clinical history). This tool enables clinicians to access more complete information on patients’ health status (the so-called clinical history) improving the treatment. It can only be activated with the patient’s consent.
Therefore, only where you give consent to the creation of your electronic file (as the basis of lawfulness of processing under art. 6.1.a of the Regulation and, as regards the exemption from the prohibition of processing particular data, of the art. 9.2.a of the Regulation – “explicit consent of the data subject”), ISMETT clinicians will be able to access information relating to the treatment performed at ISMETT, also at different times. You may decide for specific information to not be included in your electronic file, asking the Director of Health Care Activities to obscure this information. To file this request, contact direzionesanitariaprivacy@ismett.edu. In the same way, you may oppose at any time to adding further data to your electronic file, while still being entitled to receive care at ISMETT, as well as withdrawing your decisions at any time. You will be asked to expressly authorize the inclusion in your electronic file also of data subject to higher levels of protection of anonymity (e.g., , data relating to acts of sexual violence or pedophilia, voluntary interruption of pregnancy, HIV infections or use of narcotics, psychotropic substances and alcohol).
Should you not consent to creating your electronic file, the physicians and health care providers will only be able to access data relating to that particular treatment. Without prejudice to your freedom to provide or to deny consent to the creation of your electronic file, please be aware that having health care providers not being able to access information on specific tests or treatments may negatively affect your care, entailing a release of liability for the above mentioned clinicians.
Finally, please note your electronic file could be accessed, also without your consent, should this be deemed necessary to protect the physical safety of a third party or of the community.
Data processing is performed using both paper and electronic tools, adopting appropriate safety measures to guarantee data confidentiality and security.
Your personal data will be processed by the clinical and administrative staff of ISMETT and UPMCI that received specific instructions on the purposes and methods of data processing, and are obliged to comply with professional secrecy and privacy. For training purposes, clinical treatments may be performed in the presence of medical students. In this event, all necessary precautions shall be taken to limit any potential inconvenience, and your will to not abide by this procedure will be respected.
Your data may also be communicated, in addition to the parties listed under item 1, to third parties appointed data processors and providing ancillary services to the activity of ISMETT, such as:
- external consultants,
- volunteer patient care associations,
- catering companies for hospitalized patients,
other subjects providing services instrumental to ISMETT’s operations.
Your data may also be disclosed to independent data controllers in fulfillment of legal obligations or for the protection of one’s rights in judgment (e.g., health service, institutions, municipalities, social security and welfare bodies, national and regional transplant center, disease registers, insurance companies).
The updated list of the hospitals part of the UPMC Group, of the persons appointed as data processors and the independent data controllers who may have access to the data is available from the Data Controller – Office of the Director of Health Care Activities or the DPO, that can be reached at the contact details below.
Information regarding your presence at ISMETT and your health status will only be provided to your relatives and friends, without prejudice to the provisions of law.
In addition to the above, your personal data will be kept in accordance with the Ministry of Health’s requirements pursuant to circular No. 61 of 19 December 1986. In particular, data contained in medical records, and also medical reports, will be kept indefinitely while radiological images will be stored for a period of not less than ten years. More information may be obtained contacting the Data Controller – Office of the Director of Health Care Activities or the DPO at the addresses listed below.
- art. 15 and following of the Regulation Article 15 and following of the Regulation give you the right to obtain:
- confirmation that the paper and electronic archives of ISMETT do not contain personal data that concern you, to obtain a copy on paper or electronic media, and obtain information on data processing (purposes, categories of data, recipients, period of storage etc.);
- update, correction, or integration of data;
- deletion of data in the event of consent withdrawal if the absence of legal basis for data processing;
should this satisfy the assumptions, a copy of your personal data in a structured format;
Should this satisfy the assumptions, data subjects have the right to file a complaint to the Italian Data Protection Authority (“Garante”) for personal data protection, in its capacity of supervisory authority, in accordance with the provided procedures.A template of the request is available from the Italian Data Protection Authority here.
Furthermore:
- Once your electronic file is created you may:
- revoke your consent to its creation;
- request to obscure selected clinical events;
- visualize the accesses that have taken place.
- If you have provided consent to using your data for research purposes, to verify the quality and appropriateness of patient care and treatments, and to schedule clinical activity will be able to:
- withdraw your consent to your data and sample processing at any time, and this will not affect your treatment;
- ask to modify and integrate data: in this case the requests for modifications will be noted without modifying the data, when these operations fail to produce significant effects on the research outcome;
- request that your data used for research purposes be transformed into anonymous form;
obtain information on the projects in which your data have been used, and the list of the centers involved in these projects.
The rights may be exercised contacting the Data Controller – Office of the Director of Health Care Activities at the address of the joint controllers or emailing direzionesanitariaprivacy@ismett.edu or contacting the ISMETT DPO at: ISMETT- Data Protection Officer, 90133 Palermo, Via Descending dei Giudici 4, or emailing dataprotectionofficer@ismett.edu.
Similarly, with regard to data processed in the context of clinical studies and research, the aforementioned rights may be exercised by contacting the Data Controller – Research Office, at the address of the joint controllers, or emailing dataprotectionofficer@ismett.edu .
Co-data controllers are Istituto Mediterraneo per i Trapianti e Terapie ad Alta Specializzazione (ISMETT) and UPMC Italy, both headquartered in Discesa dei Giudici 4, 90133 Palermo, Italy.
Last update: July 2022 (Version 2)